CVE-2025-6488 is a stored Cross-Site Scripting (XSS) vulnerability affecting the isMobile() shortcode plugin for WordPress developed by jairoochoa. This vulnerability arises from improper neutralization of input during web page generation (CWE-79). Specifically, the plugin fails to adequately sanitize and escape the 'device' parameter, allowing authenticated users with Contributor-level access or higher to inject arbitrary JavaScript code into WordPress pages. When other users visit these compromised pages, the injected scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or distribution of malware. The vulnerability affects all versions up to and including 1.1.1 of the plugin. The CVSS 3.1 base score is 6.4 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges at the contributor level, but does not require user interaction. The scope is changed, indicating that the vulnerability can affect resources beyond the initially vulnerable component, and the impact is limited to confidentiality and integrity, with no availability impact. No known exploits are currently reported in the wild, and no official patches have been released yet. The vulnerability was published on June 27, 2025, with the reservation date on June 21, 2025. The isMobile() shortcode plugin is used to detect mobile devices and customize content accordingly, making it a common utility in WordPress sites aiming for responsive design or device-specific content delivery.

For European organizations, this vulnerability poses a significant risk especially to those relying on WordPress sites with the isMobile() shortcode plugin installed. Attackers with contributor-level access—often achievable through compromised accounts or insider threats—can inject malicious scripts that execute in the browsers of site visitors, including customers, employees, or partners. This can lead to theft of authentication cookies, unauthorized actions performed on behalf of users, defacement, or distribution of malware. The confidentiality and integrity of user data and site content are at risk, potentially damaging organizational reputation and violating data protection regulations such as GDPR. Since WordPress powers a substantial portion of European websites, including corporate, governmental, and e-commerce platforms, the attack surface is broad. The absence of a patch increases exposure time, and the medium severity score suggests that while exploitation is not trivial, it is feasible and impactful enough to warrant urgent attention.

Organizations should immediately audit their WordPress installations to identify the presence of the isMobile() shortcode plugin. If found, restrict Contributor-level access strictly to trusted users and review existing user roles for potential misuse. Implement Web Application Firewall (WAF) rules to detect and block suspicious payloads targeting the 'device' parameter. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Monitor logs for unusual activity related to shortcode usage or parameter injection. Until an official patch is released, consider disabling the plugin or replacing its functionality with alternative, secure plugins. Additionally, conduct regular security training for content contributors to reduce the risk of accidental injection. Finally, keep abreast of updates from the plugin developer and apply patches promptly once available.